CVE-2024-7594 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-7594 PUBLISHED

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

EPSS 0.60% · 69.4th percentile

Risk Scores

EPSS Score

0.60%

69.4th percentile

Affected Products

Vendor	Product	Versions
Bitnami	vault	1.7.7
Bitnami	vault	1.7.7

Timeline

Sep 26, 2024 CVE Published
Sep 26, 2024 PoC Published
Sep 27, 2024 EPSS Score
Oct 5, 2024 Coalition ESS Score
Oct 16, 2024 EPSS Score
Nov 3, 2024 EPSS Score
Nov 22, 2024 EPSS Score
Dec 12, 2024 EPSS Score
Dec 31, 2024 EPSS Score
Jan 10, 2025 PoC Published
Jan 18, 2025 EPSS Score
Feb 6, 2025 EPSS Score

References

Open in Interactive Console →